FortiProxy
Adryan_you
Staff
Article Id 286810
Description This article describes how to configure Server URL-list or Wildcard in FortiProxy to bypass DNS Lookup in web forwarding proxy setup.
Scope FortiProxy.
Solution

By default, in an explicit proxy-chain setup, FortiProxy acting as the child-proxy performs a DNS lookup for every intercepted client HTTP request. Server URLs can be configured so that specific URLs (url-list) or all URLs (wildcard) bypass the DNS lookup in the child-proxy.


The following example creates a URL list 'url-test-1', which exempts the URLs 'example.com', 'red.com', and '*.fortinet.com' from DNS lookup in the child-proxy. The URL list is then referenced in the Server URL (url-match) setting.


config web-proxy url-list
    edit "url-test-1"
        config entries
            edit 1
                set url "example.com"
            next
            edit 2
                set url "red.com"
            next
            edit 3
                set url "*.fortinet.com"
                set type wildcard
            next
        end
    next
end


config web-proxy url-match
    edit "SURL-01-URL-List"
        set type list <--
        set url-list "url-test-1" <--
        set forward-server "Parent-Proxy-FPX"
    next
end


The WAD debug output below shows that no DNS lookup occurs when the user browses to 'example.com', which matches the URL list:


diagnose wad debug enable category http
diagnose wad debug enable category policy
diagnose wad debug enable category dns
diagnose wad debug enable level verbose
diagnose wad filter src <IP>
diagnose debug console timestamp enable
diagnose debug enable


[I]2023-12-03 20:49:03.550655 wad_dump_http_request :2736 hreq=0x7f99448fda80 Received request from client: 10.100.4.131:64127

GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

....

....

[V]2023-12-03 20:49:03.550690 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 20:49:03.550754 wad_url_match_find :167 order=1 hits=1 cache-x=0: 'SURL-01-URL-List' -> 'Parent-Proxy-FPX' <<==
[I]2023-12-03 20:49:03.551008 wad_http_req_policy_set :10268 match policy-id=2 <<====

Note:

WAD debug can cause a spike in resource utilization if it is used without a filter.


To stop WAD debugging after collecting the logs, use the following commands:


diagnose debug disable
diagnose debug reset
diagnose wad debug filter clear


The WAD debug log below shows that a DNS lookup occurs when the user browses to 'bbc.com', which is not in the URL list.


Note:

If there is only one explicit proxy policy and that policy has web-forwarding enabled, user traffic is denied when the website is not in the URL list.

Example:


[I]2023-12-03 20:49:17.823592 wad_dump_http_request :2736 hreq=0x7f99448fd0b0 Received request from client: 10.100.4.131:64127

GET http://bbc.com/ HTTP/1.1
Host: bbc.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

.....

.....

[V]2023-12-03 20:49:17.823627 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 20:49:17.823635 wad_http_req_check_dns :75 hn=0x7f99446135e8 sn=(nil)
[I]2023-12-03 20:49:17.823639 wad_http_dns_resolve :7749 [0x7f99448fd0b0] DNS request name=bbc.com len=7 type/pref=0/0
[I]2023-12-03 20:49:17.911017 wad_http_dns_request_done :12390 [0x7f99448fd0b0] DNS resolved: 151.101.0.81
[V]2023-12-03 20:49:17.911112 wad_http_req_check_policy :11934 start match policy vd=0(ses_ctx:cx|Phx|Mde|Hhf|C|A7|Og) (10.110.1.46:44152@4->151.101.0.81:80@3) absUrl=1
[W]2023-12-03 20:49:17.911127 wad_fast_match_one :3686 No policy matched! <<=====
[I]2023-12-03 20:49:17.911134 wad_http_req_policy_set :10268 match policy-id=0
[E]2023-12-03 20:49:17.911538 wad_http_req_proc_policy :9943 POLICY DENIED <<=====
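To verify a Server URL configuration from a WAD capture without reading every line by hand, the following parser (an added example, not Fortinet code) groups the debug lines by request and reports, for each one, whether the child-proxy bypassed DNS via a url-match entry or resolved the host itself and then hit policy matching. The sample log is a constructed, trimmed copy of the two captures above (the url-list hit for 'example.com' and the miss for 'bbc.com'); the regexes are assumptions based only on the message formats shown on this page.

```python
import re

# Constructed sample: trimmed copy of the two WAD captures shown above (url-list hit, then miss).
SAMPLE_LOG = """\
[I]2023-12-03 20:49:03.550655 wad_dump_http_request :2736 hreq=0x7f99448fda80 Received request from client: 10.100.4.131:64127
GET http://example.com/ HTTP/1.1
[V]2023-12-03 20:49:03.550754 wad_url_match_find :167 order=1 hits=1 cache-x=0: 'SURL-01-URL-List' -> 'Parent-Proxy-FPX' <<==
[I]2023-12-03 20:49:03.551008 wad_http_req_policy_set :10268 match policy-id=2 <<====
[I]2023-12-03 20:49:17.823592 wad_dump_http_request :2736 hreq=0x7f99448fd0b0 Received request from client: 10.100.4.131:64127
GET http://bbc.com/ HTTP/1.1
[I]2023-12-03 20:49:17.911017 wad_http_dns_request_done :12390 [0x7f99448fd0b0] DNS resolved: 151.101.0.81
[I]2023-12-03 20:49:17.911134 wad_http_req_policy_set :10268 match policy-id=0
[E]2023-12-03 20:49:17.911538 wad_http_req_proc_policy :9943 POLICY DENIED <<=====
"""

# Patterns are assumptions derived from the message formats visible in the captures above.
RE_HREQ = re.compile(r"wad_dump_http_request .*hreq=(0x[0-9a-f]+)")
RE_REQ = re.compile(r"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) (\S+) HTTP/")
RE_DNS = re.compile(r"wad_http_dns_request_done .*DNS resolved: (\S+)")
RE_SURL = re.compile(r"wad_url_match_find .*: '([^']+)' -> '([^']+)'")
RE_POL = re.compile(r"wad_http_req_policy_set .*match policy-id=(\d+)")

def parse_wad_log(text):
    """Group WAD debug lines into one record per intercepted client request."""
    records, cur = [], None
    for line in text.splitlines():
        if m := RE_HREQ.search(line):          # new request -> new record
            cur = {"hreq": m.group(1), "target": None, "dns": None,
                   "surl": None, "fwd": None, "policy_id": None, "denied": False}
            records.append(cur)
        elif cur is None:
            continue
        elif m := RE_REQ.match(line):
            cur["target"] = m.group(1)
        elif m := RE_DNS.search(line):
            cur["dns"] = m.group(1)            # child-proxy resolved the host itself
        elif m := RE_SURL.search(line):
            cur["surl"], cur["fwd"] = m.group(1), m.group(2)
        elif m := RE_POL.search(line):
            cur["policy_id"] = int(m.group(1))
        elif "POLICY DENIED" in line:
            cur["denied"] = True
    return records

def verdict(rec):
    """Summarise one request: DNS bypassed via a server URL, or resolved locally."""
    if rec["surl"] and rec["dns"] is None:
        return f"{rec['target']}: DNS bypassed via '{rec['surl']}' -> {rec['fwd']}, policy-id={rec['policy_id']}"
    outcome = "POLICY DENIED" if rec["denied"] else f"policy-id={rec['policy_id']}"
    return f"{rec['target']}: DNS resolved locally to {rec['dns']}, {outcome}"
```

Feed the output of a filtered `diagnose wad debug` session to `parse_wad_log` and print `verdict` for each record; a request that shows neither a url-match hit nor a DNS resolution was cut off by the filter or the capture window.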


To have all URLs bypass the DNS lookup in the child-proxy, configure the Server URL with the wildcard type:


config web-proxy url-match
    edit "SURL-02-Wildcard"
        set type wildcard <--
        set url-pattern "*" <--
        set forward-server "Parent-Proxy-FPX"
    next
end


The following debug log shows that both 'example.com' and 'bbc.com' are forwarded to the parent proxy without a DNS lookup:


[I]2023-12-03 21:20:58.220010 wad_dump_http_request :2736 hreq=0x7fb74abf1ab8 Received request from client: 10.100.4.131:64282

GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
.....
.....

[V]2023-12-03 21:20:58.220022 wad_http_marker_uri :1305 scheme=http
[V]2023-12-03 21:20:58.220028 wad_http_marker_uri :1262 path=/ len=1
[I]2023-12-03 21:20:58.220074 wad_http_str_canonicalize :2188 enc=0 path=/ len=1 changes=0
[V]2023-12-03 21:20:58.220084 wad_http_normalize_uri :2335 host_len=11 path_len=1 query_len=0
[V]2023-12-03 21:20:58.220105 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 21:20:58.220186 wad_url_match_find :167 order=1 hits=18 cache-x=0: 'SURL-02-Wildcard' -> 'Parent-Proxy-FPX'
....
....
[I]2023-12-03 21:20:58.220511 wad_http_req_policy_set :10268 match policy-id=2(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.4.131:64282@4 -> 10.110.3.140:80@6)


[I]2023-12-03 21:21:01.290563 wad_dump_http_request :2736 hreq=0x7fb74abf2970 Received request from client: 10.100.4.131:64285
CONNECT bbc.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
.....
.....

[I]2023-12-03 21:21:01.290575 wad_http_str_canonicalize :2188 enc=0 path=/ len=1 changes=0
[I]2023-12-03 21:21:01.290586 wad_http_conn_req_classify :6031 no security profile HTTPS/HTTP, tport=443
[V]2023-12-03 21:21:01.290595 wad_url_match_find :167 order=1 hits=21 cache-x=0: 'SURL-02-Wildcard' -> 'Parent-Proxy-FPX'
.....
.....
[I]2023-12-03 21:21:01.290627 wad_http_req_policy_set :10268 match policy-id=2(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.4.131:64285@4 -> 10.110.3.140:443@6)
[I]2023-12-03 21:21:01.290641 wad_http_req_proc_policy :9923 ses_ctx:x|Phx|Mde|Hhf|C|A7|O conn_srv=0 fwd_srv=Parent-Proxy-FPX